An indicator of compromise (IOC) is an observable (e.g., an artifact)—or a set of observables—on a computer, computer network, or operating system that indicates an intrusion of that computer, computer network, or operating system. Some IOCs indicate the presence of a computer virus or malware. Specific examples of IOCs include virus signatures, IP addresses, hashes of malware files (e.g., MD5 hashes), and URLs of botnet command and control servers. As a more specific example, a virus might typically be stored under the file name “[VIRUS-NAME].EXE,” so finding a file named “[VIRUS-NAME].EXE” on a computer indicates that the computer has been compromised by the virus.
Many indicators of compromise, however, are not as simple as a file name for a known virus. Detecting some indicators requires significant computational resources and time, so there is a real computational cost associated with evaluating them. Moreover, in some circumstances there may be an easy way and a hard way to detect a particular threat. For example, although a virus might typically be stored under the file name “VIRUS.EXE,” the file may have been renamed to avoid detection. In such cases, a more complex operation, such as computing an MD5 hash of the file contents, might still reveal a reliable indicator of compromise, because renaming leaves the contents, and hence the hash, unchanged. The two checks differ greatly in cost: a file-name check is a directory lookup, whereas hashing requires reading every byte of the file. Therefore, either the file name “VIRUS.EXE” or the MD5 hash value of the file contents indicates the threat.
But conventional methods of threat detection do not take into account the computational costs (e.g., computational resources and time) of evaluating different indicators of compromise. Such methods are no more likely to try the cheap check first than the expensive one. The result is a needlessly high expenditure of computational resources, and of administrators' time, on threat detection, and possibly undesirable consequences due to delays in detecting and remedying the threat.
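The cheap-check-first ordering described above, as an added illustration that is not code from the original page or from any product it describes. It assumes a constructed in-memory set of files (the payload bytes are not real malware), two indicators for the same threat with assumed relative costs (file name VIRUS.EXE at cost 1, MD5 of contents at cost 100), and a scanner that stops at the first indicator that fires. Running it with cheapest_first=False reproduces the conventional behaviour, where the expensive hash is computed for every file regardless of whether the name alone would have sufficed.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample payload: not real malware, just bytes standing in for the
# contents of the hypothetical virus. The renamed copy below shares these bytes,
# so renaming the file does not change its hash.
MALWARE_BYTES = b"MZ\x90\x00" + b"constructed sample payload " * 8

# Constructed in-memory "file system" (path -> contents) so the example runs
# offline without touching the real disk.
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Users/alice/Downloads/VIRUS.EXE": MALWARE_BYTES,
    "C:/Users/alice/AppData/Local/Temp/svch0st.exe": MALWARE_BYTES,  # renamed copy
    "C:/Windows/System32/notepad.exe": b"MZ\x90\x00" + b"benign constructed bytes " * 8,
}

# The known-bad MD5 a threat feed would carry for this sample.
KNOWN_BAD_MD5 = hashlib.md5(MALWARE_BYTES).hexdigest()


@dataclass
class Indicator:
    name: str
    cost: int                              # assumed relative cost; lower is cheaper
    match: Callable[[str, bytes], bool]    # (path, contents) -> matched?


@dataclass
class ScanStats:
    name_checks: int = 0
    hash_computations: int = 0


def build_indicators(stats: ScanStats) -> List[Indicator]:
    """Two IOCs for the same threat: a cheap file-name check and an
    expensive content hash. Each records how often it was evaluated."""

    def by_file_name(path: str, _contents: bytes) -> bool:
        stats.name_checks += 1
        return path.rsplit("/", 1)[-1].upper() == "VIRUS.EXE"

    def by_md5(_path: str, contents: bytes) -> bool:
        stats.hash_computations += 1       # every call reads the whole file
        return hashlib.md5(contents).hexdigest() == KNOWN_BAD_MD5

    return [
        Indicator("file name VIRUS.EXE", cost=1, match=by_file_name),
        Indicator("MD5 of file contents", cost=100, match=by_md5),
    ]


def scan(files: Dict[str, bytes], cheapest_first: bool = True) -> Tuple[Dict[str, str], ScanStats]:
    """Evaluate each file against the indicators, stopping at the first hit.
    cheapest_first=True orders checks by ascending cost; False mimics a scanner
    that tries the expensive hash before the cheap name check."""
    stats = ScanStats()
    indicators = sorted(build_indicators(stats), key=lambda i: i.cost,
                        reverse=not cheapest_first)
    hits: Dict[str, str] = {}
    for path, contents in files.items():
        for ioc in indicators:
            if ioc.match(path, contents):
                hits[path] = ioc.name
                break   # a sufficient indicator fired; skip the costlier ones
    return hits, stats


if __name__ == "__main__":
    for order in (True, False):
        hits, stats = scan(SAMPLE_FILES, cheapest_first=order)
        print(f"cheapest_first={order}: hashes={stats.hash_computations}, hits={hits}")
```

With cost ordering, the file still named VIRUS.EXE is caught by the name check alone and only the two other files are hashed; with the reverse ordering every file is hashed, yet the set of detected files is identical. The saving grows with the number of files scanned, since the expensive check is skipped for every file the cheap one already resolves.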